ci: Only run vuln scanner when Go deps are updated (#89433)
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
parent
b7df121294
commit
1cc58d19f5
7
.github/workflows/trivy-scan.yml
vendored
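--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -1,9 +1,14 @@
 name: Trivy Scan
 on:
 pull_request:
+# only run on PRs where go.mod/go.sum/etc have been updated
+paths:
+- go.*
 push:
 branches:
 - main
+paths:
+- go.*
 
 jobs:
 trivy-scan:
@@ -25,6 +30,8 @@ jobs:
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
 trivyignores: .trivyignore
+# for the PR check, ignore JS-related issues
+skip-files: 'yarn.lock,package.json'
 - name: Run Trivy vulnerability scanner (SARIF)
 uses: aquasecurity/trivy-action@0.22.0
 with: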
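Review bot: With `paths: - go.*` on both `pull_request` and `push`, and no `schedule:` trigger in the `on:` block shown in the first hunk, the scanner only runs when a root-level `go.*` file changes, so a CVE published against an unchanged dependency is not reported until someone next edits go.mod/go.sum. I would add a periodic run, e.g. `schedule:` with `- cron: '0 6 * * 1'` (example value), and add `- .trivyignore` to both `paths:` lists so that a new ignore entry cannot land without a scan. The `*` in `go.*` does not match `/`, so if the repository has nested Go modules their go.mod/go.sum changes will not trigger the workflow either. In the second hunk, the comment says `skip-files` is for the PR check, but the step starts above the hunk, so it is not visible whether it is also applied on pushes to `main`; worth confirming that JS findings are still covered by the SARIF step.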